Korea encourages cloud computing adoption with world-first law

Last month, Korea passed the world’s first cloud-specific law, with the stated aim of driving the adoption of cloud computing in Korea. But what are the practical implications for cloud customers and cloud services providers in Korea?

When does it come into force?

On 3 March 2015, the Korean National Assembly passed the Act on the Development of Cloud Computing and Protection of Users (Cloud Act). The bill has been under consideration since October 2013. The final version of the Cloud Act is available here (currently only available in Korean).

The Cloud Act comes into force on 28th September this year. Before the Cloud Act comes into force, the Ministry of Science, ICT and Future Planning (Ministry) will establish additional rules for cloud services (as explained below).

What will it do?

The good news for cloud customers and cloud services providers alike is that the Cloud Act aims to promote the cloud market in Korea.

The Korean government sees cloud computing market as a vital industry for future IT development and intends to build a solid foundation to raise Korea’s global competitiveness in the industry.

The Cloud Act aims to do this by: (i) boosting investment and support in the cloud market, in particular by the government; (ii) permitting (and encouraging) the use of cloud services (including public cloud services) by public institutions; and (iii) placing appropriate safeguards on cloud services providers (CSPs).

Taking these three points in turn:

1. Korea is going to invest time and effort in enhancing the cloud market.

The government is keen to boost its investment in the cloud market. In this respect, under the Cloud Act, the Ministry is to establish plans (and update them every three years) to enhance the cloud market. This will include: setting out plans for the development of the cloud computing market; cloud computing related research and expert training; financial and other support for local SMEs providing cloud services and ancillary services, establishing pilot projects, tax incentives and collaboration with other countries.

2. Public institutions can and should use cloud services.

The Cloud Act encourages public institutions to implement cloud services as a priority, in order to benefit from cost efficiency, improving productivity and industrial competitiveness. In order to assist with this encouragement, the Cloud Act permits the use of cloud services by public institutions.

3. The bar for protecting customers’ information has been raised – and cloud customers should expect their CSPs to comply.

Security and privacy issues have always been perceived as being the main roadblocks to the use of cloud services. Therefore the Cloud Act imposes certain obligations on CSPs to try to remove the roadblocks and drive the use of cloud services in a way that addresses security and privacy concerns. In practical terms, CSPs have some new obligations to comply with, and cloud customers will want to look for CSPs who can meet these requirements. In particular, CSPs should note the following important points (and consider their compliance levels):

CSPs must report information leakage to their customers and the Minister. An investigation may then follow.

CSPs must not provide their customers’ information to a third party or use it for purposes other than the designated purpose without the consent.

CSPs must return or delete the relevant customer’s information upon termination of the relevant cloud contract.

If a CSP hosts a customer’s information outside of Korea, the customer may request the CSP to disclose the location.

If a customer incurs losses due to the deliberate or negligent acts of a CSP which violate the Cloud Act, the customer may bring a claim for compensation against the CSP. The onus will be on the CSP to prove that the CSP’s act was not deliberate or negligent.

The Minister will establish additional obligations that cover the quality/capability of cloud services, appropriate service levels and standards for information protection. It is anticipated that a cloud services certification system will be implemented.

A standardised contract for use when providing cloud services is also anticipated.

The new law has teeth

Any person who uses or discloses a customer’s information to a third party without consent shall be punished by imprisonment for not more than 5 years or with a fine not exceeding KRW 50 million (about USD 46,500). Slightly reduced levels of fines will apply to breaches of the other obligations listed above.

Areas not currently addressed

The Cloud Act doesn’t deal with data classification. One of the perceived hurdles, in particular for public institutions, to using cloud services, is the ability to determine what categories of data can be hosted by CSPs. There are different ways of categorising data and clear guidelines on the subject help to overcome this hurdle. This is an area that may be considered in the future. Nonetheless, the clear endorsement of cloud services in the Cloud Act will likely be sufficient evidence for most that the Ministry considers that cloud is appropriate for the vast majority of data held by public institutions.

The Cloud Act doesn’t address the limits imposed by other (quite strict) regulations in Korea. For example, the financial services sector is subject to strict regulations that are potentially delaying the adoption of cloud services in the sector. CSPs and cloud customers alike will be hoping that this clear endorsement of cloud will drive regulatory change in other sectors.

The Cloud Act states that the Personal Information Protection Act (PIPA) will continue to apply in regard to personal data. However, as the Ministry develops further plans and regulations, the obligations in the Cloud Act will sit alongside those in the PIPA and will likely add a layer of additional requirements (although the focus of these additional obligations will be CSPs).

The Cloud Act doesn’t, as yet, point to any particular international standards. In other countries, authorities point to international standards (e.g. ISO/IEC 27001 and ISO/IEC 27018) as appropriate measure to assess CSPs, i.e. does the CSP comply with these standards. It’s interesting to note that the controls in the new international standard for public cloud services, ISO/IEC 27018, appears to meet many of the new requirements included in the Cloud Act (and goes further than many of them), so CSPs who comply with ISO/IEC 27018 will not have any trouble complying with the new Cloud Act requirements. For more on this go here.

What next?

CSPs should consider their levels of compliance and cloud customers should, as a matter of good practice whenever they procure or use cloud services, ask their CSP how their solution complies with the Cloud Act. Reputable CSPs should have no problems providing a satisfactory response to customer questions about the Cloud Act.

In addition, CSPs and customers alike should wait for further updates from the Ministry on the plans to support the cloud market and the plans for further obligations/requirements in relation to cloud services.

We will keep you updated on further developments.

With thanks to Matthew Hunter, Olswang Associate in the Singapore office, for his contribution to this article.